With the increased use of telecommunications systems, information security has become an important aspect of promoting communications over various communication links such as over the Internet, wireless links and other communication links. Ensuring that a particular entity, such as a user, software application, network node or other entity, is a proper entity that has proper authorization to use the information security system, has become an important consideration in designing information security systems. Present methods for registering entities for using information security operations, such as public key based information security systems, can involve distributing a reference value (RV) or other identifying information that may uniquely identify the entity, along with an initial authentication key (IAK) or some other authenticating information that is provided to the entity.
For example, when a user first signs onto a public key infrastructure system, out of band information such as the reference value (RV) and the initial authentication key (IAK) may be communicated through the mail, or other out of band mechanism to ensure that the information is not intercepted by an unscrupulous party. Initial authentication keys may be, for example, MAC keys used to authenticate a user that employs a specific reference value. The reference value may be, for example, a random number, employee identification number or any other suitable identifying information. However, with out of band communications of such information, costly initialization procedures result. For example, in a corporation that has 100,000 employees, the out of band communications can require enormous amounts of resources. In addition, personnel typically must be available around the clock if a new user wishes to be initialized on a system at any time of day.
Some conventional systems use in band communications to provide pre-existing secret information that is known, for example, to a registration server. For example, pre-existing secret information may be, for example, an employee identification number stored on a registration server of the corporation. Such initialization methods typically generate an initial authentication key and/or reference value based on the pre-existing information and sends this information back to the client over a secure link. This may require, for example, a secured session to obtain initial authentication keys and reference values for initialization. However, known systems typically then discard the information and require regeneration of new information security authentication information such as random numbers after initial authentication has been granted, to continue use and access to the information security system. Problems can arise with known systems since known systems typically have to return an initial authentication key to an entity by a secured link or through an out of band communication.
Other known conventional systems require new information such as initial authentication keys and other identifying information be created. However, most information communication systems already employ some type of identifying information, such as employee numbers or other information, that is confidential which could be used to authenticate a particular user for access to an information security process. However, the shared information is typically kept in a back end data base and an information security system such as a software application may not use any other pre-existing shared information since the information may relate to other software applications. One solution has been to produce custom software applications for each different environment or to include a list of questions to be asked locally at the remote terminal which can be read by an application. However, the creation of new applications requiring their separate initial authentication keys and new reference values can require a great deal of development costs. Some systems provide a list of questions to request suitable access information. The access information is generated by each application. Also, the distribution of a list of questions does not typically allow different questions for different users unless it is known ahead of time that a particular user will be using a particular terminal. As such, there are environments where distributing reference values and initial authentication keys is not feasible. For example, when attempting to register a large number of geographically distributed users, providing each of them with a reference value and initial authentication key can severely hamper deployment of the application.
Consequently, there exists a need for a system and method for initializing operation of an information security operation for an entity, that leverages pre-existing shared information, such as secret information, to assist in entity registration. In addition, such a system should be relatively automatic to allow secure automatic registration of an entity for use in security operation.